Multiple Security Groups

Step

Operation

Command

1

Make sure that your Management Server runs version R76 or higher.

If not, upgrade your Management Server.

# fwm ver

2

Back up your 60000/40000 Security Platform.

2a

On each Chassis, create a snapshot of one SGM.

Note - Run the commands on an arbitrary SGM on Chassis A and on Chassis B.

> set global-mode 0

> add snapshot pre_upgrade

2b

On each Chassis, make sure that the snapshot was created successfully.

> show snapshots

2c

On each Chassis, export the snapshot.

> set snapshot export pre_upgrade path /var/log/

> show snapshots

> set global-mode 1

2d

On each Chassis, copy the exported snapshot to an external media or a remote server:

/var/log/pre_upgrade.tgz

2e

On each Chassis, collect configuration settings and system status information into a data file:

/var/log/asg_report.<host_name>_<date_stamp>_tar.gz

> asg_info -f

3

On a Chassis in VSX VSLS mode only:

Change the VSX mode from the VSLS to the High Availability.

> set chassis high-availability mode 0

4

Download the R76SP.50 ISO image required for Multiple Security Groups from the R76SP.50 60000/40000 Security Platforms Home Page.

You need this image during the upgrade procedure.

Step

Operation

Command

5

Set Chassis B to administratively DOWN state.

# asg chassis_admin –c <Chassis_B_ID> down

6

On Chassis B, perform a Clean Install of the required R76SP.50 ISO on each SGM.

Install the image on all the SGMs at the same time, or create a bootable USB media for each SGM.

7

On Chassis B, wait until all members are in UP state and enforcing policy.

> asg monitor

8

On Chassis B, reset the SSMs to factory default.

Important - Run these commands from a serial connection on Chassis B. This reset interrupts all traffic, including the SSH.

> asg_chassis_ctrl reload_ssm_default 1

> asg_chassis_ctrl reload_ssm_default 2

9

On Chassis B, install the required Jumbo Hotfix Accumulator.

9a

Copy the installation *.tgz package to the SMO:

Check_Point_R76SP_50_upgrade.linux.tgz

9b

Create a temporary directory on the SMO in the /home/admin/ directory.

> mkdir -v /home/admin/temp

If such temporary directory already exists, first delete it with this command:
> g_all rm -rf /home/admin/temp

9c

Extract the *.tgz package to the temporary directory.

> tar -xvzf /home/admin/Check_Point_R76SP_50_upgrade.linux.tgz -C /home/admin/temp/

9d

Start the Jumbo Hotfix Accumulator installation script.

Important - Make sure to run the script from Chassis A and not Chassis B.

> cd /home/admin/temp/

> ./AsgInstallScript -b chassis <Chassis_B_ID>

10

Make sure all SGMs show the correct version.

Note - SGMs on Chassis A show as failed because at this time, SGMs on Chassis A and SGMs on Chassis B have different versions. This is normal. Continue to the next step.

# asg_version -v

11

Set Chassis B to administratively UP state.

# asg chassis_admin –c <Chassis_B_ID> up

12

On Chassis B, run the diagnostics.

> asg policy verify –a [-vs all]

> asg_route -a [--vs all]

13

Make sure that Chassis B is UP and enforces security policy.

Important - You must correct all errors shown by the diagnostics before you continue to the next step.

> asg stat -v

Step

Operation

Command

14

Set Chassis A to administratively DOWN state.

> asg chassis_admin -c <Chassis_A_ID> down

15

On Chassis B, make sure that all SGMs are UP, and that traffic flows normally.

Important - Make sure Chassis B works correctly before you upgrade Chassis A.

> asg monitor [-vs all]

> asg perf [-vs all] -v

Step

Operation

Command

16

Set Chassis A to administratively DOWN state.

# asg chassis_admin –c <Chassis_A_ID> down

17

On Chassis A, perform a Clean Install of the required R76SP.50 ISO on each SGM.

Install the image on all the SGMs at the same time, or create a bootable USB media for each SGM.

18

On Chassis A, wait until all members are in UP state and enforcing policy.

> asg monitor

19

On Chassis A, reset the SSMs to factory default.

Important - Run these commands from a serial connection on Chassis A. This reset interrupts all traffic, including the SSH.

> asg_chassis_ctrl reload_ssm_default 1

> asg_chassis_ctrl reload_ssm_default 2

20

On Chassis A, install the required Jumbo Hotfix Accumulator.

20a

Copy the installation *.tgz package to the SMO:

Check_Point_R76SP_50_upgrade.linux.tgz

20b

Create a temporary directory on the SMO in the /home/admin/ directory.

> mkdir -v /home/admin/temp

If such temporary directory already exists, first delete it with this command:
> g_all rm -rf /home/admin/temp

20c

Extract the *.tgz package to the temporary directory.

> tar -xvzf /home/admin/Check_Point_R76SP_50_upgrade.linux.tgz -C /home/admin/temp/

20d

Start the Jumbo Hotfix Accumulator installation script.

Important - Make sure to run the script from Chassis A and not Chassis B.

> cd /home/admin/temp/

> ./AsgInstallScript -b chassis <Chassis_A_ID>

21

Make sure all SGMs show the correct version.

Note - SGMs on Chassis B show as failed, or show a previous version. This is normal. Continue to the next step.

# asg_version -v

22

Set Chassis A to administratively UP state.

# asg chassis_admin –c <Chassis_A_ID> up

23

On Chassis A, run the diagnostics.

> asg policy verify –a [-vs all]

> asg_route -a [--vs all]

24

Make sure that Chassis A is UP and enforces security policy.

Important - You must correct all errors shown by the diagnostics before you continue to the next step.

> asg stat -v

Step

Operation

Command

25

Set Chassis B to administratively DOWN state.

> asg chassis_admin -c <Chassis_B_ID> down

26

On Chassis A, make sure that all SGMs are UP, and that traffic flows normally.

> asg monitor [-vs all]

> asg perf [-vs all] -v

Step

Operation

Command

26

Make sure all SGMs show the correct version.

> asg_version -v

27

On a Chassis in VSX VSLS mode only:

Change the VSX mode from the High Availability to the VSLS.

> set chassis high-availability mode 4

28

Make sure all SGMs and SSMs are up to date, and that the system is configured correctly.

> asg diag verify